Shawdesh desk:
When Google issued its September security release last week, it warned that Android devices are under attack. Not Samsung users, though, who were already protected after the company rushed out its own fix a month earlier. But not all users actually got that critical update, and so be warned, your device might now be at serious risk.
The now-fixed threat to the wider Android ecosystem comes from CVE-2024-32896, a vulnerability disclosed in April which has now been fixed in multiple parts. This has been exploited by forensic companies as part of a chain attack, combining multiple vulnerabilities. It was originally—wrongly—tagged as being Pixel-specific before Google acknowledged it was a wider Android issue.
What’s interesting about CVE-2024-32896 is that the U.S. government’s cyber agency issued an “update or stop using your device” warning for Pixels back in June, when it was thought to be just a Pixel issue. That warning was never corrected. However, Samsung’s August security update also included a fix for CVE-2024-36971, which also triggered a U.S. government warning and an August 28 update deadline. But this time it applied across the Android ecosystem.
I had originally been told the patch for CVE-2024-32896 beyond Pixel would be some months away. But Samsung, to its credit, informed me that it would release the patch earlier than expected in August—and did just that.
Having dodged the CVE-2024-32896 bullet, I asked Samsung if they would accelerate the August release and widen its availability beyond the usual monthly versus quarterly versus biannual scope, given the government’s CVE-2024-36971 update deadline. I was told no, that the usual schedule would apply.
This was disappointing and confirms the bad news for Galaxy users outside monthly updates. If you’re not due an update you won’t get one—even if there’s a government deadline in place. Beyond some S20s and U.S. users seeming to be on an accelerated update schedule for the month, I didn’t see any variation from scope.
And so, as the news breaks that more Samsung devices have just fallen off the update scope, “including the Galaxy Tab S7 series and the Galaxy Z Flip 5G,” millions of users will need to upgrade to keep their phones safe from such vulnerabilities.
But I’ll go further, much further. With multiple threats hitting Android this year and it being clear that the update scope is exactly as it says, this isn’t the time to fall off support. You can see Samsung’s security scope here, and unpopular though it might be, in my view if your device is not on the monthly list, you need to upgrade.